I know tools that help in identifying security vulnerabilities in source code (static analysis tools), like Findbugs for Java or Pixy for PHP, but I would like to know good free opensource tools that help in the task of documenting and following code when you are doing a manual source code review. It is interesting to be able to share the code commenting work between different testers/reviewers/developers/analysts.

Just another time: I'm not looking for static code analysis tools, I'm looking for tools that help the reviewer to do the manual review by making it easier to browse the code, write and share comments with other team members, follow coverage of the review, etc...

kinunt
  • [GitHub pull requests](https://help.github.com/articles/using-pull-requests). Every commit goes onto a branch, pull requests are issued when the feature or bugfix is ready to go, and it's merged when enough people give it a thumbs-up. – Stephen Touset Apr 23 '13 at 20:57

2 Answers

I'd suggest looking at Agnitio which sounds like a good match for what you're trying to do. Another option might be Dradis although it's a bit more of a general information sharing/organisation tool.

Rory McCune

RATS is the open source grand-daddy for finding candidate points in an application.

RIPS is a lot better than pixy for PHP source code analysis. It is a lot newer and more advanced than RATS.

But really, grep is the tool of choice. All advanced SCA tools, no matter how expensive they are, will have false positives and false negatives. grep is useful for tracking down strange problems, and identical vulnerabilities in multiple parts of the code base.

rook
  • I'm sorry but as I said **I'm not asking for a tool that scans the source code** and identifies vulnerabilities. I'm asking for a tool that helps **manual inspection**, making it easier to annotate and browse the source code, share the comments with other members in the team, knowing the actual coverage of the review, etc... From RIPS site: "RIPS is a static source code analyser for vulnerabilities in PHP webapplications" From RATS site: "It is a tool for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code" – kinunt Apr 23 '13 at 17:57
  • @kinunt you have a 166 karma and this post will probably be closed. You should change your question. As a pen tester grep is probably my most powerful tool at my disposal. – rook Apr 23 '13 at 18:12
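The grep-based approach rook describes can be turned into the kind of shared review record the question asks for with nothing more than a shell script and a tab-separated file kept next to the code. The script below is an added example and is not code from the question or from either answer. It greps a code base for candidate call sites, keeps a triage file that several reviewers can edit and commit, records verdicts, reports how much of the candidate list has been looked at, and uses a fixed-string grep to find the same construct elsewhere once one site is confirmed. The sink patterns, the directory layout and the sample PHP files are all constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the question or either answer): a grep-driven
# manual-review helper. It lists candidate call sites ("sinks") across a code
# base, keeps a shared tab-separated triage file that reviewers edit and commit
# alongside the code, and reports how much of that list has been looked at.
# The sink patterns, directory layout and sample PHP files are all constructed.
set -u

# One basic regular expression per line; the reviewers own this list.
SINK_PATTERNS='eval(
system(
exec(
passthru(
unserialize(
include *\$
require *\$
mysql_query(
\$_GET\[
\$_POST\['

# make_sample_tree DIR: a tiny constructed PHP code base to review.
make_sample_tree() {
    mkdir -p "$1/app" "$1/lib"
    cat > "$1/app/login.php" <<'EOF'
<?php
$user = $_POST['user'];
$res = mysql_query("SELECT * FROM users WHERE name = '" . $user . "'");
EOF
    cat > "$1/app/report.php" <<'EOF'
<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM reports WHERE id = " . $id);
include $_GET['tpl'];
EOF
    cat > "$1/lib/util.php" <<'EOF'
<?php
function safe_len($s) { return strlen($s); }
EOF
}

# find_sinks DIR: print file:line:text for every candidate site. /dev/null is
# passed as an extra file so grep always prefixes the file name; sorted output
# keeps repeated runs stable.
find_sinks() {
    pat=$(mktemp)
    printf '%s\n' "$SINK_PATTERNS" > "$pat"
    find "$1" -name '*.php' -exec grep -n -f "$pat" /dev/null {} + | sort
    rm -f "$pat"
}

# update_triage DIR TRIAGE: append every new candidate as "open". Rows the team
# has already triaged keep their status, so the file survives re-runs as the
# code changes. Columns: file, line, status, reviewer, note.
update_triage() {
    triage="$2"
    [ -f "$triage" ] || printf 'file\tline\tstatus\treviewer\tnote\n' > "$triage"
    find_sinks "$1" | while IFS= read -r hit; do
        file=${hit%%:*}
        rest=${hit#*:}
        line=${rest%%:*}
        if ! awk -F'\t' -v f="$file" -v l="$line" \
                '$1 == f && $2 == l { found = 1 } END { exit !found }' "$triage"; then
            printf '%s\t%s\topen\t\t\n' "$file" "$line" >> "$triage"
        fi
    done
}

# set_status TRIAGE FILE LINE STATUS REVIEWER NOTE: record one reviewer's verdict.
# Status values used here: open, reviewed (a real finding), fp (false positive).
# Rows that do not match are left untouched. (awk -v interprets backslashes in
# NOTE, so keep notes to plain text.)
set_status() {
    tmp=$(mktemp)
    awk -F'\t' -v OFS='\t' -v f="$2" -v l="$3" -v s="$4" -v r="$5" -v n="$6" \
        '$1 == f && $2 == l { $3 = s; $4 = r; $5 = n } { print }' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# coverage TRIAGE: print "reviewed total percent"; anything not "open" counts as
# looked at, whether it turned out to be a finding or a false positive.
coverage() {
    awk -F'\t' 'NR > 1 { total++; if ($3 != "open") done++ }
        END { printf "%d %d %d\n", done, total, (total ? 100 * done / total : 0) }' "$1"
}

# find_similar DIR SNIPPET: once one site is confirmed, grep -F for the exact
# code fragment to find the identical construct elsewhere in the code base.
find_similar() {
    find "$1" -name '*.php' -exec grep -n -F -- "$2" /dev/null {} + | sort
}

# demo: build the sample tree, triage one site and print coverage.
demo() {
    work=$(mktemp -d)
    make_sample_tree "$work"
    update_triage "$work" "$work/review.tsv"
    set_status "$work/review.tsv" "$work/app/login.php" 3 reviewed alice "user input concatenated into SQL"
    coverage "$work/review.tsv"
    find_similar "$work" 'mysql_query('
    rm -rf "$work"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh review.sh run` to see the demo; in real use, point `update_triage` at the checkout, commit `review.tsv` next to the code so every reviewer works from the same candidate list, and re-run `update_triage` after each merge so new call sites show up as `open` without losing verdicts already recorded.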